Thursday, March 6, 2008

A trick with iptables

To see the chains of the iptables (firewalling) logic, just run the command with sudo (if you are in the sudoers list); otherwise run it as the superuser.

sudo iptables -nvL

In my case it gives

Chain INPUT (policy ACCEPT 481K packets, 356M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
19200 1198K ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 41 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
390 25244 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
11403 1053K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 DROP tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:1022
0 0 DROP udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:1022
0 0 DROP tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:1022
0 0 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:1022

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 553K packets, 63M bytes)
pkts bytes target prot opt in out source destination


To see the NAT (Network Address Translation) policies, just enter

sudo iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 1312 packets, 174K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 104K packets, 5311K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * ppp0 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE 0 -- * ppp0 192.168.2.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 104K packets, 5311K bytes)
pkts bytes target prot opt in out source destination

For IPv6, the command to see the policies is:

sudo ip6tables -nvL

Chain INPUT (policy ACCEPT 844 packets, 899K bytes)
pkts bytes target prot opt in out source destination
13662 1702K ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp tun * ::/0 ::/0 tcp dpt:80
30 3544 ACCEPT 0 lo * ::/0 ::/0
0 0 ACCEPT 0 eth0 * ::/0 ::/0
4 560 ACCEPT 0 eth1 * ::/0 ::/0
0 0 DROP udp tun * ::/0 ::/0 udp dpts:1:1024
4 320 DROP tcp tun * ::/0 ::/0 tcp dpts:1:1024

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT 0 * * 2001:5c0:8fff:fffe::/64 ::/0

Chain OUTPUT (policy ACCEPT 55727 packets, 4927K bytes)


In the IPv6 case, however, the other table to inspect is a different one, mangle:

sudo ip6tables -t mangle -nvL


Chain PREROUTING (policy ACCEPT 5326 packets, 1461K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 5326 packets, 1461K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 15301 packets, 1469K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 15301 packets, 1469K bytes)
pkts bytes target prot opt in out source destination
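The listings above are easy to read by eye on a small box, but a quick check that is worth automating is which chains have a default policy of ACCEPT: in the INPUT chains shown here only ports 1:1022 (1:1024 for IPv6) are dropped, so any listener on a higher port is reachable unless a rule blocks it. The script below is an added example, not part of the original post; it parses the text format of iptables -nvL / ip6tables -nvL with awk and reports, per chain, the policy, the number of rules and how many of them DROP or REJECT, flagging chains that are open by default. The embedded sample listing is constructed (modelled on the post's IPv4 output) so the script runs without root or a firewall; the --stdin option and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables/ip6tables
# "-nvL" listing and show which chains accept traffic by default.
#
# Usage:  sudo iptables -nvL  | sh audit_chains.sh --stdin
#         sudo ip6tables -nvL | sh audit_chains.sh --stdin
#         sh audit_chains.sh            # runs against the built-in sample

# Reads a listing on stdin and prints one line per chain:
#   <chain> <policy> <rules> <drops> [OPEN-BY-DEFAULT]
audit_chains() {
    awk '
        function flush() {
            if (chain != "") {
                flag = (policy == "ACCEPT") ? " OPEN-BY-DEFAULT" : ""
                print chain, policy, rules, drops flag
            }
        }
        # Header line: "Chain INPUT (policy ACCEPT 481K packets, 356M bytes)"
        /^Chain / {
            flush()
            chain = $2
            policy = "-"                      # user-defined chains have no policy
            if ($3 == "(policy") policy = $4
            rules = 0; drops = 0
            next
        }
        # Skip the column header and blank separator lines
        /^ *pkts +bytes/ || /^ *$/ { next }
        # Every remaining line is a rule; the third column is the target
        chain != "" {
            rules++
            if ($3 == "DROP" || $3 == "REJECT") drops++
        }
        END { flush() }
    '
}

# Constructed sample listing (shape copied from the post, values made up)
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 481K packets, 356M bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0     0 DROP   tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:1022
    0     0 DROP   udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1:1022

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 553K packets, 63M bytes)
 pkts bytes target prot opt in out source destination
EOF
}

case "${1:-}" in
    --stdin) audit_chains ;;                  # audit a real listing piped in
    *)       sample_listing | audit_chains ;; # demo run on the sample
esac
```

On the sample this prints "INPUT ACCEPT 4 2 OPEN-BY-DEFAULT", "FORWARD DROP 0 0" and "OUTPUT ACCEPT 0 0 OPEN-BY-DEFAULT". The same parser works for the nat and mangle tables (pass -t nat or -t mangle to iptables before piping), since those listings use the identical column layout; an ACCEPT policy there is normal and is simply reported as such.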